Certified Wireless Security Professional Official Study Guide

Published by Terry Hanks, 2023-07-07 13:14:34

From the Blogs
IT Security Skills Anyone Can and Should Learn
URL: dalewifisec.wordpress.com/2015/02/07/it-security-skills-anyone-can-andshould-learn
Author: Dale Rapp
Blog: DALESWIFISEC—dalewifisec.wordpress.com

I’ve been teaching IT security awareness for several years, and I try to get those attending the classes to learn some basic IT security skills. These basic skills build on each other and there is some crossover, but ultimately this blended set of security skills can help anyone stay safe online. As with any sport, you always start by learning the fundamentals, and while no one skill can get you into the game or keep you safe online, they can definitely make you ready for either.

1) Physical Security
With free Wi-Fi available in coffee shops and many fast food restaurants, I constantly see people leaving their devices unattended, and this lapse can allow someone to walk off with the device unnoticed. Think about your device and the amount of data it may contain. The device may have your whole world stored on it! If someone takes your laptop, tablet, or phone, it is so much more than having the device stolen; it is the data it contains. In addition to this Wi-Fi example, other times when you must pay attention to your device are when going through airport security or leaving the device in plain sight while stored in the car. These situations can also expose the device to being stolen, so physical security is a great starting point and a must-have skill for overall IT security.

2) Do Not Accept the Defaults
One of the most basic rules of security, but at the same time one of the most abused, is not changing settings from the vendor defaults. The excitement of getting a new device and wanting to use it as soon as possible can cause people to rush through the setup and accept defaults with the promise to return later to change the settings. Unfortunately, the promise to return and change the settings never happens, and beginning to use the device before setting it up properly has created a security risk. For example, just plugging in a wireless router with its default settings is like forgetting to lock the door when you leave the house. Many wireless router administrative guides can be downloaded from the manufacturer’s web site, and these guides include default settings for the admin password or encryption key settings. Another problem related to accepting the default settings is not checking for or applying updates. Whether during the initialization phase or during the life of the device, not applying these updates can render the device vulnerable to the security holes the updates were meant to patch. Many devices are insecure out of the box, so take the time to secure them.

3) Sense of Urgency
When I teach email security awareness, a common theme with scams is the sense of urgency being portrayed in the emails. Many of these “don’t think, just click” type scams also show up in social media sites and text-based scams. The sense of urgency scams will try to get people to click or react without thinking about what they are doing. Some scams will have an emotional pull, such as someone you care about being in trouble, or losing access to your bank account, or even to let you know that you’ve won a prize. Before you know it, your judgment is clouded and you have clicked and responded. There was a great awareness campaign started a few years ago called STOP THINK CLICK, and those three words can make a big difference when responding, or better yet not responding, to these types of scams.

4) It Won’t Happen To Me
I hear “it won’t happen to me” or “I would not fall for that trick” all the time, and I have even said those same statements myself! Online scams are always evolving and new scams show up all the time, so always be alert and never let your guard down. If something seems out of place, start asking yourself some questions: Does this person typically send this to me? Why does my bank need me to verify my password? Should I be logging into my email on unsecure Wi-Fi? Why does this app need access to text messages and phone calls? After asking some questions you can make an informed decision, and if something just doesn’t feel right, trust your gut that it isn’t right!

5) Social Networks
There is no such thing as private on social networks, and anything you post your friends can share with the world!

Conclusion
It is not required that everyone be an IT security expert to be safe online, but knowing some basic skills and practicing them can help anyone protect themselves. So after learning and practicing your IT security skills, go outside and practice throwing, fielding, and hitting because the Yankees are looking for a new short!


Chapter Review
In this chapter, you learned about the foundational security concepts that are essential to understanding the remaining chapters of the book. You explored the importance of security and the terminology commonly used in relation to Wi-Fi security. You also reviewed the different types of networks and the security requirements they may have. Finally, you explored the relationship of the OSI Model to security.

Facts to Remember
Be sure to remember the following facts as you prepare for the CWSP certification, and be sure that you can explain the details related to them:
■ All wireless security designs should include assurance of confidentiality, integrity, and availability (CIA).
■ RF boundaries do not end at the walls of your facility.
■ Consideration of the reach of your WLAN signal is important.
■ A primary role of WLANs is network extension—even in modern networks.
■ Everything you learned in relation to security while studying for the CWNA is still important for the CWSP candidate.
■ Three key organizations drive the standards and certifications in relation to 802.11 security solutions: IEEE, Wi-Fi Alliance, and IETF.
■ Home office networks should still ensure proper security. At the very least, they should use WPA- or WPA2-Personal.
■ Small business networks vary greatly, but they should employ proper security solutions based on their budgetary constraints: WPA/WPA2 Personal or Enterprise, captive portals, and proper permissions on the available network resources.
■ Large, modern enterprise networks nearly always use 802.1X/EAP for authentication.
■ You will encounter legacy client devices that force you to make the best security decisions you can with what you have to work with.
■ When possible, you should try to get legacy client devices replaced with devices that can support current security methods.
■ Public networks must consider the security needs of the customer. Be sure to show a terms-of-use agreement that removes all responsibility from you for any incident that may occur while visitors are connected to your network.
■ When working from remote locations, consider using VPN technology. Many enterprises require VPN.
■ It often helps to think of the security technologies in relation to OSI Model layers. Many vendor documents refer to their technologies in this way.
■ Wireless networking happens at the Data Link layer and the Physical layer, but it is important to understand how other layers are impacted by security measures.
■ Wireless security is just one component of overall organizational network security.
■ Whether the wireless network in question is small or large, security needs may well change over time. Network security is never a finished product.
■ The 802.11 standards place great emphasis on backwards compatibility, which creates its own share of security concerns by allowing legacy devices to be accommodated on new networks.


Chapter 1: Review Questions

1. Wireless network security is built on the foundational concept of CIA, which stands for what?
a. Configurations, Integrity, Applications
b. Confidentiality, Integrity, Availability
c. Configurations, Integrations, Availability
d. Confidentiality, Integrations, Applications

2. The original WEP encryption specification used a key of which construct?
a. 24-bit key with 40-bit Initialization Vector
b. 40-bit key with 24-bit Initialization Vector
c. 64-bit key with 24-bit Initialization Vector
d. 104-bit key with 64-bit Initialization Vector

3. The 802.11i amendment does not allow which of the following?
a. Shared Key Authentication
b. Open System Authentication
c. Four-way Handshake
d. The use of STAs for WLAN

4. The concept of RSNA came about with __________ and stands for _________.
a. 802.1X, Reasonably Secure Network Association
b. 802.11X, Robust Secure Network Association
c. 802.11i, Reasonably Secure Network Association
d. 802.11i, Robust Secure Network Association

5. Which of the following is true regarding wireless networks?
a. Wireless networks are easily confined.
b. Wireless networks are considered to be unbounded.
c. Wireless networks are immune to eavesdropping.
d. Wireless networks cannot be heard by authorized clients and intruders.

6. Which of these is a legitimate concern for personal usage threat assessment?
a. Intruders may exploit open wireless networks.
b. Intruders may compromise database servers.
c. Intruders may access open switch ports.
d. Intruders may install rogue wireless access points.

7. Why are wired networks at risk from poorly secured 802.11 networks?
a. Users associate to both wired and wireless networks simultaneously.
b. Wired networks extend wireless networks.
c. Wireless networks extend wired networks.
d. It is very easy to eavesdrop on wired networks.

8. Which organization promotes wireless networking and has been instrumental in Wi-Fi interoperability?
a. IEEE
b. IETF
c. Wi-Fi Alliance
d. Wi-Fi Institute

9. WPA2 Enterprise makes use of which non-wireless standard?
a. 802.1X
b. 802.3X
c. 802.11X
d. PPTP

10. Shared Key Authentication uses ______ management frames, while Open Authentication uses _____ management frames.
a. 2, 4
b. 4, 2
c. 4, 6
d. 2, 6

11. Which of these is a valid reason why wireless networks need robust encryption?
a. Many application layer programs use secure protocols.
b. Undetected eavesdroppers can intercept traffic between authorized wireless stations.
c. Wireless networks are becoming very popular for server connectivity.
d. Intruders might piggyback on your wired network.

12. Two examples of Virtual Private Network protocols are:
a. WPA2, CCMP
b. PPTP, CCMP
c. IETF, IPSec
d. IPSec, PPTP

13. The Wi-Fi Alliance currently tests client devices for compatibility with how many EAP types?
a. 4
b. 8
c. 16
d. 18

14. A wireless network security method or practice that is no longer recommended because it has been found to be weak is said to be _______.
a. Deprecated
b. Retired
c. Suspended
d. Abandoned

15. At which OSI layer does RF in WLAN environments work?
a. Layer 7
b. Layer 4
c. Layer 2
d. Layer 1

16. WPA uses what encryption?
a. CCMP/AES
b. TKIP/RC4
c. CCMP/RC4
d. TKIP/AES

17. Which of the following are likely to be used in enterprise wireless networks?
a. 802.1X
b. 802.11
c. 802.3
d. All of the above

18. Which of the following should not be used on secure business wireless networks?
a. WPA2
b. CCMP
c. Shared Key Authentication
d. Open System Authentication

19. During active scanning, a client transmits a ______ and the access point responds with a _________.
a. Key request, key response
b. Keep alive, acceptance packet
c. Authentication, acknowledgement
d. Probe request, probe response

20. The three fundamental building blocks of RADIUS are:
a. Supplicant, Authenticator, Authentication Server
b. Client, Encryption Server, Authenticator
c. Supplicant, Authenticator, Gateway Router
d. Client, Authenticator, Authentication Server

21. A recommended example of reducing your attack surface is:
a. Using additional switches and APs
b. Removing all network devices
c. Enabling many network services to confuse attackers
d. Disabling unused administrative services and changing default passwords

22. Which organization is associated with RFCs?
a. IEEE
b. IETF
c. CWNP
d. Wi-Fi Alliance

23. Which of these are valid VPN protocols?
a. PPTP, L2TP
b. PPTP, IETF
c. CCMP, L2TP
d. SMTP, PPTP

24. Which of the following utilizes a clear text challenge that makes it weak and therefore a poor choice for wireless security?
a. Shared Key Authentication
b. Open System Authentication
c. Shared System Authentication
d. Open Key Authentication

25. Which of the following is NOT a typical security concern when using a public Wi-Fi hotspot?
a. Someone looking over your shoulder
b. Compromised switch ports
c. Eavesdropping
d. Peer to peer attacks


Chapter 1: Review Answers

1. B is correct. Confidentiality, Integrity, and Availability are design tenets of wireless (and wired) network security.
2. B is correct. The 40-bit key/24-bit IV combination is generally referred to as 40-bit WEP, but sometimes as 64-bit WEP.
3. A is correct. Shared Key Authentication is not allowed by 802.11i.
4. D is correct. The concept of the Robust Secure Network Association was introduced with 802.11i.
5. B is correct. Propagating in free space, wireless networks are considered unbounded.
6. A is correct. The key word in the question is “personal.” Individual users are at risk on open wireless (hotspot) networks.
7. C is correct. Wireless networks extend the wired network and can provide an attack vector against the LAN.
8. C is correct. The Wi-Fi Alliance has interoperability and promoting wireless use as two of its primary focuses.
9. A is correct. Remember that 802.1X is not a wireless standard, but it works elegantly with secure 802.11 networks.
10. B is correct. Shared key authentication has four management frames while open authentication has two.
11. B is correct. Given that there is no way to detect eavesdropping, encryption renders intercepted traffic useless to the intruder.
12. D is correct. IPSec is one of the most common VPN types in service today. PPTP is valid, but its use is discouraged.
13. B is correct. There are currently 8 EAP types included in the Wi-Fi Alliance’s compatibility testing regimen.
14. A is correct. The word “deprecated” is quite popular in networking when a feature or command is considered obsolete.
15. D is correct. WLAN works at Layer 1 (RF) and Layer 2 (data frames).
16. D is correct. TKIP is exclusively used in WPA while AES is used in both WPA and WPA2.
17. D is correct. 802.1X (security), 802.11 (WLAN), and 802.3 (Ethernet) are all part of the enterprise WLAN environment.
18. C is correct. Shared Key Authentication is a relic of early 802.11 and has been deprecated.
19. D is correct. As a CWSP (or CWNA) you will become well familiar with probe requests and probe responses.
20. A is correct. These are the proper terms for RADIUS components.
21. D is correct. Reducing your attack surface results in a smaller overall number of targets that attackers might attempt to exploit.
22. B is correct. Regardless of which technology is being discussed, the IETF is responsible for RFC documents.
23. A is correct. Of all listed, only PPTP and L2TP are valid VPN choices.
24. A is correct. The clear text challenge is the main reason that Shared Key Authentication was deprecated.
25. B is correct. Switch ports are not typically exposed in public Wi-Fi situations.


Chapter 2: Wireless Security Challenges

Objectives
1.1 Describe general network attacks common to wired and wireless networks, including DoS, phishing, protocol weaknesses, and configuration error exploits.
1.2 Recognize common attacks and describe their impact on WLANs, including PHY and MAC DoS, hijacking, unauthorized protocol analysis and eavesdropping, social engineering, man-in-the-middle, authentication and encryption cracks, and rogue hardware.
1.5 Explain and demonstrate the security vulnerabilities associated with public access or other unsecured wireless networks, including the use of a WLAN for spam transmission, malware injection, information theft, peer-to-peer attacks, and Internet attacks.


After you understand the fundamental security concepts that are discussed in the first chapter, you can begin to investigate the specific security challenges related to 802.11 networks. This chapter addresses several specific topics important to the WLAN security professional. It begins with an exploration of network discovery processes. As with Chapter 1, you may notice overlap with CWNA materials throughout this chapter as we add depth to security-related topics from CWNA.

We begin by examining the process that an attacker or security auditor would go through to locate WLANs. Next, the chapter investigates questionable recommendations that actually result in a false sense of security. These are called pseudo-security solutions and are as important to be aware of as legitimate security measures. We will progress to legacy security mechanisms that should no longer be used, along with basic network attack methods. Finally, we will consider a number of recommended practices as we begin the process of learning how to secure against the types of attacks mentioned in this chapter. There is a lot of ground to cover in Chapter 2, with much that is relevant to the daily work and worry of the typical CWSP working on wireless networks.

Passive WLAN Discovery
802.11 wireless network discovery is foundational to wireless network security associations. The wireless discovery process consists of passive scanning or active scanning, or both. As with many things related to 802.11 wireless, network discovery is both important for its overall functionality and a potentially exploitable juncture in WLAN operations.

Passive discovery uses Beacon management frames, which are transmitted at regular intervals—usually every 100 “time units” or “TUs”. One time unit is equal to 1,024 µs (microseconds). Therefore, the average Beacon interval is 100 times 1,024 µs, or roughly 100 ms (milliseconds), or 102.4 ms to be exact. Though Beacon intervals are adjustable on enterprise wireless APs, the 100 ms interval tends to be the de facto default value across most WLAN products. This interval between Beacons is also known as the Target Beacon Transmission Time, or “TBTT”.

You may recall from CWNA that during passive discovery, wireless client devices listen for Beacons. Clients use Beacons to identify available wireless networks and their characteristics, including the type of security that each network is capable of. From a security perspective it is important to understand what information is, and is not, broadcast in Beacon management frames. Beacons contain a frame body that includes fixed fields and information elements. The security information elements (IEs) that appear in Beacon frames depend on the type of security mechanism for which the network is configured, such as TKIP/RC4 (WPA) or CCMP/AES (WPA2).


■ Devices that are certified for Wi-Fi Protected Access (WPA) include a WPA information element in Beacon management frames. To client devices, this information element identifies the supported security features, including the authentication methods (whether passphrase or 802.1X/EAP), the encryption type, which is Temporal Key Integrity Protocol (TKIP), and the RC4 stream cipher.
■ Devices that are certified for Wi-Fi Protected Access 2 (WPA2) include a Robust Secure Network (RSN) information element in Beacon management frames. To client devices wishing to associate, this information element identifies the supported security features, including the authentication methods (either passphrase or 802.1X/EAP), the encryption type, which is Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP), and the Advanced Encryption Standard (AES) block cipher.

Keep in mind that the 802.11i amendment that defined RSN parameters allowed TKIP/RC4 for backward compatibility in an RSN network. (As mentioned in Chapter 1, the notion of backwards compatibility is pervasive throughout 802.11 standards.)

Note: If a wireless device such as an AP is configured for WPA2 and WPA for backward compatibility, then both the RSN and WPA information elements appear in Beacon management frames. Wireless frames are discussed in greater depth in the Certified Wireless Analysis Professional (CWAP®) course and study guide.

The Beacon management frame, which allows for the passive scanning process by wireless clients, includes the following basic information of potential interest to attackers:
■ Capability Information—This includes information related to operational modes, whether it is a BSS or IBSS, and other capabilities.
■ SSID—This is the name of the BSS/ESS.
■ Supported Rates—This is the list of data rates supported based on configuration, and it is further expanded by the Extended Supported Rates field.
■ RSN-IE—This shows the configured security capabilities of the network from a robust security perspective.

Active WLAN Discovery
Active scanning is another method of WLAN discovery, and uses both a Probe Request management frame (sent by client devices) and a Probe Response management frame (sent by the AP) in the discovery process. Wireless client network adapters scan all RF channels they support, which may include the 2.4 GHz band and the 5 GHz band (depending on model), in an effort to quickly locate WLANs that are available. The Probe Request is either aimed at a specific SSID or, very commonly, used to find all SSIDs within radio range. When looking for any available network, the destination address (DA) is a broadcast address. All APs (infrastructure) or client devices (ad-hoc) on that RF channel that hear the Probe Request answer with a Probe Response frame.

It is important to understand what information is broadcast in the Probe Request and Probe Response frames, and the differences between the two. Like Beacon management frames, the Probe Request and Response frames each contain a frame body with fixed fields and information elements. Though there are commonalities, the contents of the frame body are different for these two management frames. The information contained in Probe Request frames includes the Service Set Identifier (SSID), supported basic data rates, and extended supported rates. This frame contains limited information compared to the Beacon management frame. The 802.11 standard requires that all devices (such as an AP in infrastructure mode or clients in an IBSS) that hear a Probe Request frame must answer with a Probe Response frame. The Probe Response frame contains much of the same information as the Beacon management frame, which identifies the specific capabilities of the service set. In addition to the SSID and supported data rates, the Probe Response frame also contains security-related information such as WPA and RSN information elements. The Probe Response frame is a directed management frame and is sent to the MAC address of the device that sent the request.
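The Beacon and Probe Response frame bodies described above share one layout, so a single decoder covers what a passive or active scanner learns from either. The following Python is an added example, not code from the study guide; it works on constructed sample frame bodies (not captures), pulls out the Beacon interval in milliseconds, the SSID (flagging a hidden one), and the WPA and RSN information elements with their cipher and AKM suites, and applies the weakest-link rule to a mixed-mode AP that still offers TKIP.

```python
# Added example: decode the security advertisement in an 802.11 Beacon or Probe Response
# frame body (8-byte timestamp, 2-byte Beacon interval in TUs, 2-byte capability, then IEs).
import struct

TU_US = 1024                        # one time unit (TU) is 1,024 microseconds
TAG_SSID, TAG_RSN, TAG_VENDOR = 0, 48, 221
RSN_OUI = bytes.fromhex("000fac")   # suite selectors inside the RSN IE (802.11i)
WPA_OUI = bytes.fromhex("0050f2")   # OUI + type 1 marks the vendor-specific WPA IE
CIPHER_NAMES = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKM_NAMES = {1: "802.1X/EAP", 2: "PSK"}
CIPHER_RANK = ["WEP-40", "WEP-104", "TKIP", "CCMP"]   # weakest first

def parse_ies(area: bytes) -> list:
    """Split the IE area into (tag, value) pairs; reject a truncated element."""
    ies, pos = [], 0
    while pos + 2 <= len(area):
        tag, length = area[pos], area[pos + 1]
        value = area[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated information element")
        ies.append((tag, value))
        pos += 2 + length
    return ies

def _suite_list(buf: bytes, oui: bytes):
    """Read a 2-byte count, then that many 4-byte OUI+type suite selectors."""
    (count,) = struct.unpack_from("<H", buf, 0)
    types, pos = [], 2
    for _ in range(count):
        selector = buf[pos:pos + 4]
        if len(selector) != 4 or selector[:3] != oui:
            raise ValueError("malformed suite selector")
        types.append(selector[3])
        pos += 4
    return types, buf[pos:]

def parse_security_ie(value: bytes, oui: bytes) -> dict:
    """Decode an RSN IE body, or a WPA IE body after its 4-byte OUI/type header.
    Both share the layout: version, group cipher, pairwise ciphers, AKM suites."""
    (version,) = struct.unpack_from("<H", value, 0)
    group = value[2:6]
    if group[:3] != oui:
        raise ValueError("malformed group cipher selector")
    pairwise, rest = _suite_list(value[6:], oui)
    akms, _ = _suite_list(rest, oui)
    name = lambda t: CIPHER_NAMES.get(t, f"cipher-{t}")
    return {"version": version, "group": name(group[3]),
            "pairwise": [name(t) for t in pairwise],
            "akm": [AKM_NAMES.get(t, f"akm-{t}") for t in akms]}

def parse_beacon_body(body: bytes) -> dict:
    """What a passive scanner (client, auditor or attacker) learns from one Beacon."""
    _timestamp, interval_tu, cap = struct.unpack_from("<QHH", body, 0)
    info = {"beacon_interval_ms": interval_tu * TU_US / 1000,   # 100 TU -> 102.4 ms
            "privacy": bool(cap & 0x0010),      # Privacy bit: some encryption in use
            "ssid": None, "hidden_ssid": False, "wpa": None, "rsn": None}
    for tag, value in parse_ies(body[12:]):
        if tag == TAG_SSID:   # empty or all-NUL SSID is the "hidden SSID" trick
            info["hidden_ssid"] = value == b"\x00" * len(value)
            info["ssid"] = "" if info["hidden_ssid"] else value.decode("utf-8", "replace")
        elif tag == TAG_RSN:
            info["rsn"] = parse_security_ie(value, RSN_OUI)
        elif tag == TAG_VENDOR and value[:4] == WPA_OUI + b"\x01":
            info["wpa"] = parse_security_ie(value[4:], WPA_OUI)
    return info

def security_label(info: dict) -> str:
    """Which generation the Beacon advertises: IEs present plus the Privacy bit."""
    if info["wpa"] and info["rsn"]:
        return "WPA/WPA2 mixed"
    if info["rsn"] or info["wpa"]:
        return "WPA2 (RSN)" if info["rsn"] else "WPA"
    return "WEP" if info["privacy"] else "open"

def weakest_cipher(info: dict) -> str:
    """Weakest-link rule: the network is only as strong as the weakest suite it offers."""
    offered = set()
    for ie in (info["wpa"], info["rsn"]):
        if ie:
            offered.update([ie["group"], *ie["pairwise"]])
    if not offered:
        return "WEP" if info["privacy"] else "open"
    # newer suites not in CIPHER_RANK are never reported as the weakest
    return min(offered, key=lambda c: CIPHER_RANK.index(c) if c in CIPHER_RANK else 99)

# Constructed sample Beacon bodies (assumed values, not captures from any real network)
def _ie(tag: int, value: bytes) -> bytes: return bytes([tag, len(value)]) + value
def _fixed(interval_tu: int, cap: int) -> bytes: return struct.pack("<QHH", 0, interval_tu, cap)
RATES = _ie(1, bytes.fromhex("8c 12 98 24 b0 48 60 6c"))   # 6..54 Mbps OFDM rates
# WPA2-Personal only: RSN IE with group CCMP, pairwise [CCMP], AKM [PSK]
BEACON_CORP = (_fixed(100, 0x0411) + _ie(TAG_SSID, b"CorpNet") + RATES
               + _ie(TAG_RSN, bytes.fromhex("0100 000fac04 0100 000fac04 0100 000fac02 0000")))
# hidden SSID, WPA/WPA2 mixed mode: the WPA IE offers TKIP and the RSN IE still lists it
BEACON_LEGACY = (_fixed(100, 0x0411) + _ie(TAG_SSID, b"") + RATES
                 + _ie(TAG_VENDOR, bytes.fromhex("0050f201 0100 0050f202 0100 0050f202 0100 0050f202"))
                 + _ie(TAG_RSN, bytes.fromhex("0100 000fac02 0200 000fac04 000fac02 0100 000fac02 0000")))
# open hotspot: Privacy bit clear, no security IEs, 200 TU Beacon interval
BEACON_OPEN = _fixed(200, 0x0401) + _ie(TAG_SSID, b"Cafe-Free-WiFi") + RATES
```

Running `parse_beacon_body` on the three samples reports WPA2 (RSN)/CCMP, WPA/WPA2 mixed with TKIP as the weakest offered suite, and open respectively, which is exactly what a client or auditor can read without ever associating.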


Figure 2-1: The Active Scanning Process

The Probe Request frame the client transmits may contain:
■ a specific SSID value, which identifies only the networks it associates to, or
■ a “Broadcast SSID” as a wildcard (blank) SSID, allowing the device to connect to any wireless network that responds.

What determines whether a client only talks to a specific SSID or is interested in any available SSID? The way the client device is configured makes that determination. For example, the typical off-the-shelf configuration for wireless client devices’ Probe Requests is to transmit the wildcard/any SSID, but a locked-down laptop in a corporate wireless environment might only allow for a specific SSID. More on this follows later in the chapter.

Discovery Hardware
In order to connect to a wireless AP, a client device with a wireless network adapter and client software is required. The discovery process is part of the normal procedure of connecting to a wireless network, so nearly any wireless device can be used as discovery hardware. Discovery hardware detects and connects to WLANs legitimately, or seeks out unprotected wireless networks and gains uninvited access to the resources of the network that are located behind the AP.

Unauthorized intruders may prefer to use lightweight, unobtrusive equipment to perform discovery and exploitation of unprotected WLANs. Equipment such as laptops and tablet PCs make for powerful exploitation platforms, but the smaller size and convenience of handheld devices may be preferred when it comes to wireless attacks. With the proliferation of high-end smartphones and small computers such as the Raspberry Pi, wireless users, IT staff, and attackers are all enjoying a range of very interesting client hardware options. Wireless support staff may use common client devices in tracking down wireless rogues, or they may use add-on hardware and/or utilities that provide Spectrum Analyzer or Packet Analysis functionality to help detect signals that should not be present in their environments.

Exam Moment: When using a spectrum analyzer to locate rogue devices based on signal strength as an indicator of proximity, look at the amplitude of the energy in the FFT view. By contrast, when using a protocol analyzer to locate rogue devices, use the signal strength value in frames from the target devices. Similar information is being shown, but the spectrum analyzer works at Layer 1 while the protocol analyzer, in this case, is working at Layer 2.

All discovery devices require a wireless client adapter, an antenna, and discovery software. While most modern off-the-shelf client devices have built-in adapters and antennas, there is more than meets the eye in this space. There are many variations on the radio cards and antennas that are available, and custom configurations can offer extended range and sensitivity at surprisingly far distances and at surprisingly low prices—an advantage to the unauthorized intruder. A high-gain antenna connected to the right wireless client adapter can significantly increase the operating range of wireless intruders.

Wardriving is the term used to describe the act of performing a mass WLAN discovery activity while logging the discovered AP location information to a file for later analysis. The name wardriving is taken from the Matthew Broderick movie WarGames, in which an automated software application was used to scan for open telephone modem connections—“wardialing.” Wardriving is the act of performing a WLAN discovery while driving through a business park or residential area. Wardriving is often conducted in a surreptitious manner and is usually considered to be an illicit activity. However, the legality of wardriving in the US is not clearly defined, and there has never been a criminal conviction. Most of those who fear wardriving are under the impression that the perpetrators are in the act of accessing the wireless networks they find (piggybacking), but the nature of most wireless network scanning applications, such as inSSIDer and Kismet, does not allow this. These applications take over control of the wireless station adapter and do not allow it to associate to the discovered APs at the same time the discovery process is working. So wardriving can be construed primarily as a data gathering activity. Keep in mind that some client devices can use multiple adapters simultaneously to monitor and to connect. And even though “wardriving” implies a vehicle is involved, the same data gathering can be done while walking, cycling, or even from a boat.

The use of a Global Positioning System (GPS) device connected to a discovery PC can augment the effectiveness of wardriving. GPS greatly increases the effectiveness of location charting software by assigning a latitude and longitude position to each AP in the discovery listing. The GPS unit usually connects via USB, and is pivotal in automating location recording when covering a large area or while operating in unfamiliar locations. While this positioning information only indicates where the GPS receiver was located when it received each AP’s signal, it can still be a very useful tool for locating nearby networks. Additional software can be used to take the raw discovery location logs and convert them into graphical map representations.


Figure 2-2: Spectrum Analyzer
A custom-built Spectrum Analyzer can be used as a protocol analyzer. This example is based on a Dell Windows 8 tablet with an external USB adapter.

Wireless network scanning applications that can be used for wardriving may operate in either active mode or in RF Monitor mode. Active mode applications such as the original NetStumbler issued probe requests to nearby listening APs using the standards-mandated broadcast (wildcard) SSID. Any APs that are not explicitly restrained from answering these probes respond with a matching Probe Response that contains—among other critical pieces of information—the current SSID of the answering AP. Listen-only RF Monitor mode applications such as the Linux-based Kismet listen quietly for various types of management messages, such as authentication and association exchanges, which contain the SSIDs of the nearby networks. Active mode applications may be effective at gathering discovery information from devices that have been tailored with rudimentary security mechanisms such as SSID hiding.

Discovery Software
In addition to wireless cards and antennas, discovery stations require software in order to locate and connect to nearby APs. This software is typically called a client utility, or a client. Some computer operating systems include only basic wireless connectivity support from within the operating system itself, with few options beyond client credentials and basic wireless profile settings. More features tend to come with the wireless adapter manufacturer’s utilities that usually accompany new Wi-Fi adapters. The Intel ProSet utilities are a long-running example. A growing number of apps can be installed on some mobile devices, providing more features than those that are built into the mobile operating system. One multi-OS example of these apps is inSSIDer, which is a popular Wi-Fi discovery application. It is a favorite especially among Android users in the Wi-Fi support space, and brings functionality to Wi-Fi devices that the operating system itself cannot provide.

Note: If you are a Mac OS X user, you will find excellent tools from Adrian Granados in this wireless discovery category. He offers WiFi Explorer, an inSSIDer-like tool, and AirTool for simplification of wireless capture with Wireshark. More information can be found here: adriangranados.com/apps.

Specialized client applications may be used to perform wireless network discovery, site surveys, security auditing, wireless intrusion detection and mitigation, spectrum analysis, protocol analysis, and endpoint security. Linux is often the operating system of choice for wireless hackers, as it is typically the easiest to develop applications for. At the same time, every modern OS has some form of wireless utility that can be used for legitimate support or nefarious purposes.

Discovery software may also fit into the category of online databases that are populated with information provided by the hacker community via web sites. Frequently, the information gathered during a wardrive is published to a publicly viewable, online repository. Several such databases exist, but they have varying degrees of accuracy and currency. When performing an initial security audit in an organization that has a pre-existing WLAN installation, it may be a good practice to check the online databases to see if the organization’s APs are currently listed there, and what vulnerabilities the hacker community claims are in play for those APs. The following are popular public-access Wi-Fi databases:
■ openBmap—openBmap.org
■ Skyhook—www.skyhookwireless.com/coverage-map
■ Wigle—www.wigle.net


Weakest Link

The overall security of any network is only as strong as its weakest link, and this certainly includes wireless networks. For example, say you have 50 devices connected to the wireless network, and 49 of them use the strongest security available (WPA2—CCMP/AES) while one device uses WEP. The security of the entire network is assumed to be diminished to WEP, because that is the lowest level of security in place on the network.

MAC address filtering is a popular control mechanism whose security value is frequently overestimated. Though MAC filters have their place in networking, relying on them for wireless network security is not recommended, as we will cover later in the chapter. Another example of weak or mistaken security is hiding a network's SSID in an effort to secure the network. In reality, hiding the SSID offers no wireless security whatsoever. Some choose to hide the SSID for various reasons, but it should not be considered a security strategy. SSID hiding is covered in more detail in the next section.

Wireless networks have challenges from both the troubleshooting and security perspectives that you may not see in a wired network infrastructure. These challenges exist because the communication medium is RF in free space, which, as we established in Chapter 1, is an unbounded medium. Taking this into consideration is critical when it comes to understanding and implementing wireless network security.

Figure 2-3: Weak Links


At the same time, when it comes to security concerns, 802.11 networks are not completely different from wired networks. It is worth mentioning again that wireless networks extend the wired network, so there are common elements in play and threat factors to consider regardless of how network clients actually connect. Some of the attacks common to both wired and wireless networks include, but are not limited to:

■ Denial of Service (DoS) attacks
■ Phishing attacks
■ Protocol weaknesses
■ Configuration error exploits

If this were an Ethernet security course, all of these would still be discussed. The particulars would differ, of course, but the overarching concerns pervade wired and wireless alike. Here we look at the wireless-specific characteristics of each of these attacks.

Common DoS attacks can exist at both the Physical layer and the Data Link layer. For Wi-Fi, RF jamming is the most obvious Layer 1 DoS. Other DoS attacks are due to exploits that have been discovered in the 802.11 protocol itself (MAC) at Layer 2. You will learn more about DoS attacks later in this chapter.

Phishing is a method attackers use to gather information that is valuable in some way to the person performing the attack. This information is often sensitive and usually includes login credentials (usernames and passwords) and other information that may provide access to financial institutions, credit card accounts, and other sensitive resources. Various methods are used in phishing attacks, including email messages, web sites, telephone calls, and other electronic communications.

In the most basic sense, the 802.11 protocol was designed to allow devices to politely share the wireless medium. Great care was taken when developing 802.11 to give each wireless device a turn in a protocol where only one STA (station) at a time can communicate, and many management and control frames are required to keep it all orderly and precisely timed. Unfortunately, this comes with its share of security concerns due to exploits discovered over the years. Some 802.11 management frames, such as Deauthentication and Disassociation, which were designed for basic protocol operation, can be exploited with malicious intent. This includes hijacking authorized user devices and denial of service attacks. We will discuss later how Management Frame Protection (MFP) can help somewhat against management frame attacks.

Incorrect configuration of infrastructure devices causes other potential security concerns. Though misconfiguration is more common in home and small business networks, because the individual installing the device may lack the knowledge or skills required to configure it correctly, the stakes get much higher in business network settings. At home and in small business settings, simply following the directions provided by the manufacturer of the infrastructure devices may be enough to provide a basic security posture. In some cases, it may be best to involve a professional to lock the devices down to the strongest possible configurations and to relax settings as needed and justified by the use of the network. The configuration of infrastructure devices used in enterprise networks is driven by corporate security policy, which helps to lessen the possibility of misconfiguration. Policy alone cannot do much good if it is not put into practice by skilled administrators.

Note: Creating and using a checklist is a great way to ensure that all bases are covered when securing network devices. A checklist helps to lessen the possibility of misconfigurations. The book The Checklist Manifesto—How To Get Things Right showed clearly that checklists work in projects large and small. Many high-importance tasks, from military operations to flying an aircraft to building a house, rely on checklists, which can be thought of as mini project plans.

SSID Hiding

Recall from CWNA that an SSID is more than just a network name. The Service Set Identifier (SSID) is used for wireless network identification and segmentation, and allows the naming of service sets much as Microsoft Windows uses workgroups to group computers and other devices. Other characteristics include:

■ The SSID is included within several different management frames.
■ Legacy security tactics suggest hiding the SSID from intruders, although doing so provides no security.
■ Current security tactics adequately protect WLANs, making SSID hiding as unnecessary as it is flawed as a security mechanism.

SSID hiding (sometimes called "cloaking") is a technique implemented by WLAN device manufacturers that removes the information found in the SSID information element from Beacon management frames. Depending on the implementation, SSID hiding may also remove it from Probe Response frames sent from the AP.
Hiding the SSID is intended to keep casual users from noticing a wireless network, but may be problematic for certain client devices, and does not offer any legitimate protection because many software utilities and all protocol analyzers can find the SSID in 802.11 management frames other than Beacons.


There simply is no hiding; the best it does is reduce the obviousness of the SSID.

Note: The 802.11-2012 standard allows STAs to operate simultaneously with pre-RSNA and RSNA algorithms, but RSNA forbids the use of Shared Key 802.11 authentication, which pre-RSNA allows. For RSNA, only the Open System authentication mechanism can be used.

WARNING: Disabling the broadcasting of the SSID within Beacon frames is not an effective deterrent and adds no value to WLAN security.

Some organizations hide the SSID on all WLAN profiles except the profile used for guest access. This decision is not made for security purposes but rather to prevent users who do not belong to the organization from attempting to connect to wireless networks for which they do not have the proper credentials. This in turn may help lessen unnecessary technical support calls. Although this is not a recommended security procedure, it is a configuration option that may be used in some installations for management purposes.

Consider the explanation provided by one SOHO AP manufacturer:

"It is possible to make your wireless network nearly invisible. By turning off the broadcast of the SSID, your network SSID will not appear in a site survey. A site survey is a feature of many wireless network adapters on the market today. It scans the "air" for any available network and allows the computer to select the network from the site survey. Turning off the broadcast of the SSID helps increase security."

This type of messaging, though well meaning, can mislead inexperienced users into enabling SSID hiding as a standalone security mechanism. Thankfully, most manufacturers have advanced past this sort of poor advice in their product literature. To be clear, SSID hiding should not be considered a security solution at all. In some scenarios, it may assist with the management or usability of a given WLAN environment, but simply hiding SSIDs is never a security solution. It can help shape usability in that, if SSID broadcasting is disabled, normal users do not see WLANs to which they should not connect. Users who need to connect to hidden WLANs can be provided with the configuration profiles. Free utilities in the hands of low-skilled users reveal hidden SSIDs. The point is that hiding the SSID serves management or usability, but in no way constitutes WLAN security.

SSID Field in Other Frames


In addition to Beacon management frames, the SSID information is included in several other 802.11 management frames:

■ Probe Request
■ Probe Response
■ Association Request
■ Reassociation Request

For protocol functional purposes, the Association Request and Reassociation Request frames always contain the SSID. The SSID cannot be removed from these frames or the 802.11 protocol would cease to function. Hiding the SSID only removes it from the Beacon management frame. The information element in this frame is still intact; however, the SSID value is removed from it. Authentication Request, Authentication Response, and Association Response frames do not contain the SSID Information Element.

Many current discovery software applications and most protocol analyzers are able to identify the SSID even if it is hidden in Beacon management frames. Once a user has associated to an AP, a discovery utility can gather the SSID from other management frames. An intruder could wait for a new association to occur or actively force users to deauthenticate and then quietly learn the SSID when the devices reassociate to an AP. So you can see that even if the SSID is not broadcast in the Beacon frame, most enterprise-quality packet analyzer tools (and some of the free ones) have the capability to learn the SSID from the other management frames and display its value.

Broadcast SSID in Probes

The 802.11-2012 standard defines a Broadcast SSID as a wildcard (blank) SSID. 802.11-2012 requires APs to respond to all Probe Requests that contain either a matching SSID or a blank SSID. Many manufacturers provide a configuration option to prevent APs from responding to Probe Request frames carrying the wildcard SSID, even though 802.11-2012 still requires it. Curiously, the Wi-Fi Alliance does not deny certification to manufacturers who disable Broadcast SSID responses.

From IEEE 802.11-2012:

8.2.4.3.4 BSSID field
The value of all 1s is used to indicate the wildcard BSSID. The wildcard value is not used in the BSSID field except where explicitly permitted in this standard.

10.1.4.3.2 Sending a probe response
STAs, subject to criteria below, receiving Probe Request frames shall respond with a probe response only if
a) The Address 1 field in the probe request is the broadcast address or the specific MAC address of the STA, and either item b) or item c) below.
b) The STA is a mesh STA and the Mesh ID in the probe request is the wildcard Mesh ID or the specific Mesh ID of the STA.
c) The STA is not a mesh STA and
   1) The SSID in the probe request is the wildcard SSID, the SSID in the probe request is the specific SSID of the STA, or the specific SSID of the STA is included in the SSID List element, and
   2) The Address 3 field in the probe request is the wildcard BSSID or the BSSID of the STA.
Probe Response frames shall be sent as directed frames to the address of the STA that generated the probe request. The SSID List element shall not be included in a Probe Request frame in an IBSS.

MAC Address Filtering

Although it should not be used to secure a wireless network, Media Access Control (MAC) filtering is considered by some to be an effective deterrent against casual or unintentional access to a wireless network. Again, before going any further: MAC address filtering should not be used as a stand-alone security solution in anything beyond a home network. Even then, there is no real reason to use MAC filtering any longer, given the availability of WPA/WPA2-Personal in all consumer equipment today.

Since 802.11 WLAN device technology operates at the Physical and Data Link layers of the OSI model, the MAC address is a big part of the wireless networking process. The MAC address, which is defined at the MAC sublayer of the Data Link layer (Layer 2), identifies the network interface by means of a manufacturer-assigned unique physical address or, potentially, a software-assigned address. MAC addresses on wireless devices are sometimes (incorrectly) called Ethernet addresses.
The purpose of MAC address filters is to allow or disallow access to the wireless network by restricting which MAC addresses can authenticate and associate to the network using 802.11 technology. Procedurally, MAC addresses are entered manually into the wireless AP, or the AP is instructed to add all currently connected MAC addresses; these identify the specific devices that are allowed or denied access to the wireless network. A list of allowed addresses is called a white list. When a black list is used, all MAC addresses are allowed except those in the list. MAC address filters can reasonably be enabled for small numbers of client devices, but for large numbers of devices the task is tedious and prone to entry mistakes. If MAC address filters are the only deterrent, intruders can easily discover the MAC addresses that are permitted and re-address their own station adapters with an allowed MAC address to gain access—software-assigned addressing. This process is also called spoofing or, specifically, MAC spoofing. Therefore, MAC filtering should not be used as a WLAN security solution. Next, we will discuss how easy it is to carry out MAC spoofing.

Finding Valid MAC Addresses

MAC address-based access control lists (ACLs) can provide a degree of admission control for client devices, but discovering which MAC addresses are authorized on a system is easy with a wireless scanner or protocol analyzer. Any device that is successfully passing data traffic to an AP on the wireless network is considered an authorized device, and that MAC address can be used for connectivity to the wireless network. MAC addresses can be easily spoofed using operating system techniques or third-party freeware utilities. Keep in mind that MAC addresses cannot be encrypted, as specified in the 802.11 standard. This physical identifier (MAC address) is broadcast in clear text and is shown in protocol analyzer frame decodes, among other places. Therefore, it is very easy for an intruder, or anyone with a limited amount of technical knowledge and the proper software tools, to identify authorized wireless networking devices from a simple scan of the unbounded RF medium used by the WLAN.

One analogy to consider is the physical address of a home or building on a street. Each building is marked with a unique physical address to provide an identity for the building, for example, 123 Main Street. The street name is comparable to the SSID of the wireless network, since all connected devices share the same SSID, and 123 is comparable to the MAC address of a connected device, which is the unique identifier. Anyone who wanted to visit this building could easily identify it from the number 123.
If these identifying addresses from all of the buildings on the street were missing, encrypted or scrambled in any way, there would be no way for a visitor to find the correct building. But since they are not, the buildings can be found easily. On WLANs, the same is true. The addresses are not encrypted or scrambled and so they can be located easily.
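Tying together the three preceding subsections (the SSID in non-Beacon frames, the 10.1.4.3.2 Probe Response rules, and the fact that MAC addresses travel in the clear), here is an added Python example, not from the book, that builds constructed sample management frames and parses them the way a protocol analyzer would. Assumed: a non-mesh AP whose BSSID equals its MAC address (item b of the standard is not modelled), made-up addresses and SSID, and a hypothetical `respond_to_wildcard` switch standing in for the vendor option the text mentions.

```python
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"     # also the wildcard BSSID (all 1s)
SUBTYPES = {0: "Association Request", 1: "Association Response",
            2: "Reassociation Request", 4: "Probe Request",
            5: "Probe Response", 8: "Beacon", 11: "Authentication"}
# Octets of fixed fields between the MAC header and the information elements
FIXED_LEN = {0: 4, 1: 6, 2: 10, 4: 0, 5: 12, 8: 12, 11: 6}
EID_SSID, EID_SSID_LIST = 0, 84     # 802.11-2012 element IDs
HEADER = "<HH6s6s6sH"               # FC, Duration, Addr1, Addr2, Addr3, Seq Ctrl


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ie(eid, value):
    return bytes([eid, len(value)]) + value


def build_mgmt_frame(subtype, addr1, addr2, addr3, body):
    """Constructed sample management frame (no FCS): version 0, type 0 (management)."""
    return struct.pack(HEADER, subtype << 4, 0, mac(addr1), mac(addr2), mac(addr3), 0) + body


def parse_ies(data):
    out, i = [], 0
    while i + 2 <= len(data):
        eid, ln = data[i], data[i + 1]
        out.append((eid, data[i + 2:i + 2 + ln]))
        i += 2 + ln
    return out


def parse_mgmt_frame(raw):
    """Everything returned here is readable by any station in range: the MAC
    header is never encrypted, and the SSID element, when present, is plaintext."""
    fc, _dur, a1, a2, a3, _seq = struct.unpack(HEADER, raw[:24])
    if (fc >> 2) & 0x3 != 0:
        raise ValueError("not a management frame")
    subtype = (fc >> 4) & 0xF
    ies = parse_ies(raw[24 + FIXED_LEN.get(subtype, 0):])
    ssid = next((v for e, v in ies if e == EID_SSID), None)   # None: no element; b"": hidden/wildcard
    nested = next((v for e, v in ies if e == EID_SSID_LIST), b"")
    return {"subtype": SUBTYPES.get(subtype, f"subtype {subtype}"),
            "addr1": mac_str(a1), "addr2": mac_str(a2), "addr3": mac_str(a3),
            "ssid": ssid, "ssid_list": [v for e, v in parse_ies(nested) if e == EID_SSID]}


def ap_should_respond(probe_raw, ap_mac, ap_ssid, respond_to_wildcard=True):
    """10.1.4.3.2 items a) and c) for a non-mesh AP whose BSSID is its own MAC.
    respond_to_wildcard=False is a hypothetical knob modelling the vendor option
    the text describes, which the standard does not permit."""
    p = parse_mgmt_frame(probe_raw)
    if p["subtype"] != "Probe Request":
        return False
    if p["addr1"] not in (BROADCAST, ap_mac):                       # item a)
        return False
    wildcard = p["ssid"] == b""                                      # item c) 1)
    matches = p["ssid"] == ap_ssid or ap_ssid in p["ssid_list"]
    if not (matches or (wildcard and respond_to_wildcard)):
        return False
    return p["addr3"] in (BROADCAST, ap_mac)                         # item c) 2)


# Constructed addresses and SSID for the sample frames below
AP, STA, SSID = "00:11:22:33:44:55", "66:77:88:99:aa:bb", b"CorpWLAN"


def sample_frames():
    fixed12 = bytes(12)   # timestamp, beacon interval, capability (zeroed for the sample)
    return {
        "hidden_beacon": build_mgmt_frame(8, BROADCAST, AP, AP, fixed12 + ie(EID_SSID, b"")),
        "assoc_req": build_mgmt_frame(0, AP, STA, AP, bytes(4) + ie(EID_SSID, SSID)),
        "wildcard_probe": build_mgmt_frame(4, BROADCAST, STA, BROADCAST, ie(EID_SSID, b"")),
        "list_probe": build_mgmt_frame(4, AP, STA, AP,
                                       ie(EID_SSID, b"Other") + ie(EID_SSID_LIST, ie(EID_SSID, SSID))),
        "auth": build_mgmt_frame(11, AP, STA, AP, struct.pack("<HHH", 0, 1, 0)),
    }


if __name__ == "__main__":
    frames = sample_frames()
    for name, raw in frames.items():
        f = parse_mgmt_frame(raw)
        print(f"{name:15} {f['subtype']:22} TA={f['addr2']} SSID={f['ssid']!r} list={f['ssid_list']}")
    print("standard AP answers wildcard probe:", ap_should_respond(frames["wildcard_probe"], AP, SSID))
    print("AP ignoring wildcard probes:", ap_should_respond(frames["wildcard_probe"], AP, SSID, False))
```

The hidden Beacon parses with an empty SSID value while the Association Request from the same client carries it in full, and every frame exposes the transmitter address regardless.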


Figure 2-4: Protocol Capture Showing MAC Addresses

MAC-Address Spoofing

MAC-address spoofing is the process of altering a MAC address in a computer so that it matches a valid MAC address on the network. Each client device is given its MAC address at the time of manufacture, and you may sometimes hear a MAC address referred to as the burned-in address (BIA). This terminology might imply that MAC addresses are permanently written in some unalterable chip within the network adapter, but this is not true. The reality is that MAC address values can be rewritten in software, so the network sees a different value than the one the factory assigned. Several MAC spoofing utilities are freely available, including:

■ SMAC
■ MAC Makeup
■ A-MAC Address
■ Nmap ("Network Mapper")
■ Systems Lizard

MAC addresses may also be reset with simple tools that are available by default on most computer OSes.


■ Linux: ifconfig eth0 hw ether 03:a0:04:d3:00:11
■ FreeBSD: ifconfig bge0 link 03:a0:04:d3:00:11
■ MS Windows: On Microsoft Windows systems, the MAC address is stored in a registry key. The location of that key varies from one MS Windows version to the next, but Internet searches help you find this value so you can edit it yourself. There are numerous free utilities you can download to make this change. For some NICs, you can modify the MAC address in the Device Manager using the following procedure:

1) Open the Device Manager.
2) Press Windows Key + S.
3) Type Device Manager and press Enter to select it in the results list.
4) Find the WLAN NIC in the Network Adapters node and double-click it to open the Properties dialog.
5) On the Advanced tab, look for a property called Network Address, MAC Address, Locally Administered Address, or something similar.
6) Change it there.

Note: The MAC spoofing process does not always work on Windows systems, even when the feature is apparently available. The wireless drivers for some adapters simply do not accommodate the capability.

MAC-address spoofing is an effective way to bypass other MAC-based security or control mechanisms, such as those used for paid access to hotspots. Some service providers log allowed devices by MAC address. Those wishing to bypass this type of filter on a paid network can spoof their MAC address with an authorized device's MAC address. This type of activity may be illegal along the lines of "theft of services" and, as with other capabilities you may learn in common with hackers, is not recommended. Hotspot providers should be aware of the limitations of their system.

Open System Authentication

802.11 Open System authentication must be performed every time a device connects to a wireless network or transitions from one AP to another. This process is a fundamental step in the basic operation of 802.11 wireless connectivity. Without performing this task, a wireless device would not be able to associate to the AP.

From IEEE 802.11-2012:

11.2.3.2 Open System authentication
Open System authentication is a null authentication algorithm. Any STA requesting Open System authentication may be authenticated if dot11AuthenticationAlgorithm at the recipient STA is set to Open System authentication. A STA may decline to authenticate with another requesting STA. Open System authentication is the default authentication algorithm for pre-RSNA equipment. Open System authentication utilizes a two-message authentication transaction sequence. The first message asserts identity and requests authentication. The second message returns the authentication result. If the result is 'successful,' the STAs shall be declared mutually authenticated. In the description in 11.2.3.2.2 and 11.2.3.2.3, the STA initiating the authentication exchange is referred to as the requester, and the STA to which the initial frame in the exchange is addressed is referred to as the responder. The specific items in each of the messages described in the following subclauses are defined in 8.3.3.11, Table 8-28, and Table 8-29.

Based on this description, it should be obvious that Open System authentication alone provides no security whatsoever. Despite including the word authentication, there really is not any in this case, as any and every device (STA) is welcome to communicate with the AP. Though "a STA may decline to authenticate with another requesting STA," it is pretty much a given that devices of like technical capabilities will authenticate with each other. Despite the lack of security, it is important to know that Open System authentication is used as part of the workflow by all strong enterprise security solutions today. For example, when using WPA2-Enterprise, Open System authentication is performed first, then EAP authentication occurs, followed by the 4-way handshake, which generates the unicast encryption keys used between a single STA and the AP. You will learn about these concepts in greater detail later in this book, but it is important to keep this fact in mind.
Wired Equivalent Privacy (WEP)

WEP should never be used today. It really is that simple. If you desire confidentiality and integrity for your data, you will not use WEP. All hardware released for the past several years supports at least WPA-Personal, which is an order of magnitude stronger in security than WEP. The weaknesses of WEP are briefly reviewed in this section. To better understand why currently accepted WPA variants are so much stronger, it is worth digging into the flaws of WEP just a bit more. In other words, we study WEP as CWSPs to learn from the past.

From IEEE 802.11-2012:

11.2.2.1 WEP overview
WEP-40 was defined as a means of protecting (using a 40-bit key) the confidentiality of data exchanged among authorized users of a WLAN from casual eavesdropping. Implementation of WEP is optional. The same algorithms have been widely used with a 104-bit key instead of a 40-bit key in fielded implementations; this is called WEP-104. The WEP cryptographic encapsulation and decapsulation mechanics are the same whether a 40-bit or a 104-bit key is used. Therefore, subsequently, WEP can refer to either WEP-40 or WEP-104.

The characteristics of WEP include:

■ RC4 Stream Cipher
■ Static Pre-shared Keys
■ Manual Key Management
■ Weak Implementation

WEP is unsafe for use under any circumstances and at either key size (40-bit or 104-bit) because it suffers from multiple weaknesses. Your top priority should be to move to a more secure solution and ensure that no wireless network in your care ever uses WEP.

WEP Weaknesses

WEP required the use of static keys. The selected key had to be manually entered on all devices that were part of the same service set. In most cases, once the key was determined and entered on all of the devices, it was never changed. In theory, changing the key periodically, or at a specific regular interval, would help to provide a more secure network. The important words here are "in theory."

You learned earlier that the 802.11 standard defined a 40-bit WEP key; a 104-bit key could also be used. 40 bits and 104 bits are the actual key lengths. In addition to the key, WEP also used a 24-bit initialization vector (IV) as part of the encryption and decryption process. Therefore, with the addition of the IV, the key length is described as 64-bit or 128-bit. The key can be made up of either hexadecimal or ASCII characters. The length for each is shown in the following table:

Key size    ASCII characters    Hexadecimal characters
64-bit      5                   10
128-bit     13                  26


Table 2.1: WEP Key Lengths

The 24-bit IV transmitted across the wireless medium in clear text makes the WEP key vulnerable to intrusion. This was a primary flaw in the WEP implementation. RC4 is not necessarily a bad encryption algorithm, but the keys must be implemented in a way that avoids reuse within any reasonable window of time. WEP was not implemented this way, and so it was vulnerable to key reuse attacks. Further explanation follows.

Two primary problems exist with how this IV mechanism was implemented. First, the 24-bit IV was transmitted across the air in clear text, or plaintext. Second, the 24-bit IV was used as an encryption seed in conjunction with the WEP key and the RC4 stream cipher to create a key stream, and finally the encrypted ciphertext message. This was accomplished through an exclusive OR process, with the Integrity Check Value (ICV) included, producing an encrypted frame body for the wireless data frame. Though this process resulted in basic encryption of data, these two items created a bad combination. If someone were to capture enough of the encrypted frames, the WEP key could be found using any number of key cracking programs.

In addition to the weak IV scheme, the WEP process also suffered from weak integrity protection, the ICV. The WEP ICV was computed using CRC-32 and calculated over the plaintext MAC Protocol Data Unit (MPDU) field. This made the ICV vulnerable to what is known as a bit flip attack, which gave someone the capability to capture frames and flip bits in the data payload of the frame. The ICV would then be modified and the frame retransmitted with the modified data payload. Unbeknownst to the receiver, the data was modified in transit, creating an additional vulnerability and losing integrity—the very purpose of the ICV.

In the early days of wireless, cracking WEP became a bit of a sport for the hacker community, as its obsession with Wi-Fi increased with the popularity of wireless networking.
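As an added illustration of the two weaknesses just described (this is not code from the book), the following Python shows why a CRC-32 ICV cannot protect integrity, namely that the change in its value is predictable without any key, in contrast to a keyed integrity check (HMAC-SHA256 is used here only as a stand-in; CCMP's MIC is a different construction), and how quickly the 24-bit IV space is consumed at an assumed frame rate.

```python
import hashlib
import hmac
import math
import os
import zlib

IV_BITS = 24                      # WEP IV size fixed by 802.11
KEYSTREAM_SPACE = 2 ** IV_BITS    # distinct keystreams available for one static key


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def wep_icv(plaintext):
    """WEP ICV: plain CRC-32 over the MPDU payload; no key is involved."""
    return zlib.crc32(plaintext)


def icv_predictable(m, delta):
    """CRC-32 is affine over GF(2): crc(m ^ d) == crc(m) ^ crc(d) ^ crc(0...0).
    Someone who knows only the intended change d (not the key, not m) can
    therefore compute exactly how the ICV changes for the modified payload,
    which is the root cause of the bit flip weakness. Returns True when the
    identity holds for these inputs."""
    zero = bytes(len(m))
    lhs = wep_icv(xor(m, delta))
    rhs = wep_icv(m) ^ wep_icv(delta) ^ wep_icv(zero)
    return lhs == rhs


def keyed_mic(key, plaintext):
    """Stand-in for a keyed integrity check (assumption: HMAC-SHA256, not the
    CBC-MAC used inside AES-CCM, but the property being shown is the same)."""
    return hmac.new(key, plaintext, hashlib.sha256).digest()


def mic_predictable(key, m, delta):
    """The same difference identity does not hold for a keyed MIC, so a
    modification the sender did not make is detected by the receiver."""
    zero = bytes(len(m))
    lhs = keyed_mic(key, xor(m, delta))
    rhs = xor(xor(keyed_mic(key, m), keyed_mic(key, delta)), keyed_mic(key, zero))
    return lhs == rhs


def iv_reuse_estimates(frames_per_second):
    """How quickly a WLAN burns through the 2^24 IV space under one static key.
    exhaustion_seconds: time until every IV has been used once by a sender that
    counts sequentially. birthday_frames: expected frames before two randomly
    chosen IVs collide, sqrt(pi/2 * N), which is what matters when several
    stations share the key or pick IVs at random."""
    return {
        "exhaustion_seconds": KEYSTREAM_SPACE / frames_per_second,
        "birthday_frames": math.sqrt(math.pi / 2 * KEYSTREAM_SPACE),
    }


if __name__ == "__main__":
    msg = b"GET /payroll HTTP/1.1"                               # constructed sample payload
    delta = bytes([0] * 5 + [0x01] + [0] * (len(msg) - 6))      # flips one bit in byte 5
    print("WEP ICV change predictable without the key:", icv_predictable(msg, delta))
    print("Keyed MIC change predictable without the key:",
          mic_predictable(os.urandom(16), msg, delta))
    print("IV space at 500 frames/s:", iv_reuse_estimates(500))
```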
Since the advent of the 802.11n standard, no APs going forward should even support WEP as an option per the standard. This fact does not always play out in implementations, but it is the practice all vendors should follow. You do not have to memorize the explicit details covered here in the examination of WEP’s weaknesses, but it is good to know why more robust encryption options were ultimately needed, and appreciate the evolution of this important component of wireless security. WEP is no longer a primary testing area on the CWSP exam because we should have learned the lessons from it long ago. It is addressed here only to discourage its use in any modern WLAN implementation.


Shared Key Authentication

802.11 Shared Key authentication is a deprecated authentication mechanism. Unlike Open System authentication, which used WEP only for data encryption, Shared Key authentication required the use of WEP for both 802.11 authentication and data encryption. While it may seem that adding an authentication exchange would enhance a network's security, Shared Key authentication may actually accelerate the exposure of a static WEP key. As with other early security features, the intentions were not realized with Shared Key authentication.

Figure 2-5: Shared Key Authentication Process

Notice in the image that Shared Key authentication uses four authentication management frames exchanged between two stations, in this case a client station and an AP. Recall that Open System authentication uses only two authentication management frames. For Shared Key authentication to function, the same WEP key must be installed on all stations that are part of the wireless service set. In this example, the first frame is sent from the client station to the wireless AP and initiates the Shared Key authentication process. The AP responds to the requesting client station with a clear text, or plaintext, challenge message. This challenge text can be seen by anyone monitoring the wireless medium with eavesdropping software (protocol analyzers and dedicated cracking tools such as those in Kali Linux). The third frame is sent back to the AP from the client station and now carries an encrypted message, which was encrypted using the WEP key assigned to the client station. Keep in mind that this is the same key installed on all devices that are part of the same service set, including the AP. The AP validates the encrypted message and responds to the client device with the fourth frame, indicating a failed or successful authentication. Once this process has successfully completed, the 802.11 association process ensues and data communications can occur.

Shared Key Authentication Uses WEP

Let us break down what is wrong with Shared Key authentication a little deeper. Since Shared Key authentication requires the use of WEP, it introduces additional methods that an eavesdropping intruder may use to recover the static encryption key. This is because all an intruder needs to capture are the four authentication frames seen in the graphic. With the proper tools, such as a wireless protocol analyzer and a key cracking program, the WEP key can be discovered very quickly without the need to capture a single data frame containing the IV. This vulnerability is part of the 802.11 Shared Key authentication process and allows for easy discovery of the WEP key without the aid of any data frames that contain the plaintext 24-bit IV. Once the WEP encryption key is discovered, an intruder can use it to join the wireless service set by configuring the client device as an authorized station in possession of the WEP key. It also allows decryption of encrypted frames that traverse the wireless medium, in protocol analyzers that support decryption of data.

From IEEE 802.11-2012:

11.2.3.3 Shared Key authentication
Shared Key authentication seeks to authenticate STAs as either a member of those who know a shared secret key or a member of those who do not. Shared Key authentication can be used if and only if WEP has been selected and shall not be used otherwise. This mechanism uses a shared key delivered to participating STAs via a secure channel that is independent of IEEE Std 802.11. This shared key is set in a write-only MIB attribute with the intent to keep the key value internal to the STA.
The following list summarizes the weaknesses of 802.11 Shared Key authentication:

■ Requires the use of WEP—WEP is required and is used for both station authentication and data encryption.
■ Uses a clear text or plaintext challenge message—This challenge text can easily be discovered by someone monitoring the wireless medium, which will result in discovery of the WEP key.
■ Results in a weak authentication mechanism—Software tools are readily available for many operating systems, and are fairly easy to use, allowing the Shared Key authentication process to be easily compromised.


Thankfully, even most on-the-market, new, consumer-grade wireless routers today do not offer the user the ability to implement WEP or Shared Key authentication. In all but the most ridiculous of cases, the only options are Open, WPA, or WPA2. In most of the newest equipment, the only options are now Open or WPA2 (or possibly WPS). CWSP still requires a working familiarity with the WEP and Shared Key authentication’s flaws, as security professionals should understand not just that they are weak methods, but also why they are weak. However, CWSP no longer required detailed knowledge of the inner-workings of WEP or Shared Key authentication. EAP-MD5 You learned in Chapter 1 that 802.1X, which defines port based access control, helps to provide a secure, scalable, and manageable security solution for enterprise wireless networks. It is important to note that 802.1X is a framework that works in conjunction with an appropriate EAP method to allow for user-based security. Many EAP variants can be used to secure WLAN communications, and you saw in Chapter 1 that the Wi-Fi Alliance does interoperability testing for eight EAP types. This chapter explores some of the EAP types that are vulnerable to intrusion and that should not be used to secure a wireless network. EAP-MD5 is one example of a weak EAP type. It was developed for use on the wired network to test basic connectivity between EAP participants. It does not provide dynamic encryption key management, mutual authentication (client trusts the authentication server, and the server trusts the individual clients), or any operational characteristic that would provide security for a wireless network. Because it creates numerous vulnerabilities, EAP-MD5 should never be used to secure an 802.11 network. Proprietary LEAP Earlier in this chapter you learned about 802.11 Open System authentication, Shared Key authentication, and WEP. 
You saw that all of these methods are inadequate for providing secure wireless communications on an 802.11 network. At one point on the 802.11 timeline, the realization hit the wireless industry that the early security methods were not sufficient (by a long shot) as the popularity of Wi-Fi exploded. There was an urgent need for methods that would provide stronger wireless security, or wireless networking would be stunted in where and how it could be used. Something had to be done! The answer to the security dilemma would eventually be addressed in the 802.11i amendment to the standard, which would provide enhanced wireless security mechanisms including CCMP/AES. However, in the early 2000 timeframe, the ratification of the 802.11i amendment was still some time away (it would not be ratified until 2004). In the interim, attempts were made to provide alternative wireless security options, such as LEAP.

Cisco Systems developed its own EAP type known as Lightweight Extensible Authentication Protocol (LEAP). This proprietary EAP method was very popular because it provided what was then considered secure wireless communications, and it was widely deployed on Cisco networks. Keep in mind that LEAP required the use of a Cisco infrastructure, which included Cisco client devices and wireless APs. One exception to this was the use of Cisco Compatible Extensions (CCX) technology, which enabled non-Cisco manufacturers to develop code that allowed their devices to use LEAP on the client side. There have been several versions of CCX through the years, but non-Cisco adoption has been far from universal.

Figure 2-6: ASLEAP Capturing LEAP Information

LEAP included a vulnerability in which the username of the person attempting to authenticate was passed in clear text across the wireless medium, and it did not use any tunneling mechanism to protect the exchange. Because the credential exchange used a variant of the MS-CHAPv2 challenge/response, captured authentication traffic was susceptible to offline dictionary attacks on weak passwords. Joshua Wright, a long-time WLAN security expert, created a software program (named ASLEAP) that made this theory a reality.

Note: In addition to developing wireless security tools, Joshua Wright has published a wealth of articles on Wi-Fi security and has taught classes on the topic. He is very active in the wireless community and is one of those people that CWSPs would do well to follow as a


resource for current WLAN security trends and concerns.

After LEAP's vulnerabilities were discovered and published, Cisco Systems introduced a more secure EAP type, called EAP-FAST, which served as a replacement for LEAP. EAP-FAST has also since been replaced in many deployments by newer, non-Cisco-specific EAP types, such as PEAP, EAP-TLS, and EAP-TTLS.

Eavesdropping

By now, you likely realize that unencrypted wireless traffic is easily intercepted by any and all nearby users with a protocol analyzer. Any client device that can receive the WLAN traffic is able to collect information that traverses the wireless medium. Modern protocol analyzers make it easy to collect and inspect unencrypted traffic. Wireless protocol analyzers use a special network device driver that allows the wireless adapter to operate in monitor mode (often loosely called promiscuous mode, although the two differ: promiscuous mode delivers all frames on a network the adapter has joined, whereas monitor mode captures raw 802.11 frames on a channel without associating to any BSS). Because the adapter only listens and never transmits, the analyzer is a passive device, and passive monitoring goes unnoticed by any intrusion prevention method. Not all wireless adapters can be placed into monitor mode, but USB adapters can be purchased specifically for the task of wireless eavesdropping in monitor mode. Protocol analyzer software vendors recommend and sell adapters for this purpose. Such software and hardware are intended for analysis of WLANs aimed at performance and functional improvements, such as those covered in the CWAP® certification, but they are often used by hackers.

802.11-based encryption obscures Layer 3-7 data from protocol analysis and is the basic deterrent to eavesdropping; the 802.11 MAC headers and management frames remain in the clear. Using adequate mechanisms to encrypt WLAN traffic is imperative to ensure security and privacy. Unauthorized protocol analysis with protocol analyzer software is the most common form of eavesdropping, but its effectiveness varies with the security of the WLAN being monitored. Because of the passive methods used by wireless protocol analyzers, there is no way to detect or prevent this type of eavesdropping; the only defense is to ensure that what is captured is strongly encrypted.
The amount of information that can be gathered by eavesdropping on a WLAN with weak security is amazing, and what can be learned by passive listening is fairly shocking the first time you see network traffic exposed in this manner. Even with encrypted data payloads, you can learn significant information from the unencrypted management frames and MAC headers, such as:
■ Supported data rates
■ Allowed MAC addresses
■ Security cipher suites and encryption algorithms used
■ PHYs supported in the BSS
■ MAC and PHY features supported
■ The amount of data traversing the network
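As an added example (not code from the study guide), the following Python parses a single Beacon frame and pulls out exactly the kind of information listed above: SSID, BSSID, channel, supported and basic rates, the PHY generation from the HT and VHT elements, and the cipher suites, AKMs and Protected Management Frame flags from the RSN element. The Beacon it parses is constructed inline for a hypothetical WPA2-Enterprise AP (made-up BSSID 02:00:00:00:00:01, SSID CorpWLAN, channel 6); the field offsets and suite selector values follow IEEE 802.11. To run it against real traffic, feed it the bytes of a Beacon from a monitor-mode capture with the radiotap header stripped.

```python
"""Added example (not from the study guide): what an eavesdropper learns from a
single unencrypted Beacon frame even when every data payload is encrypted.
The Beacon below is constructed for the demo (hypothetical BSSID, SSID and
capabilities); the parser follows the IEEE 802.11 frame and IE layouts."""
import struct

BROADCAST = b"\xff" * 6
IEEE_OUI = b"\x00\x0f\xac"
# Cipher and AKM suite selectors under the IEEE OUI 00-0F-AC (802.11 RSN).
CIPHER_SUITES = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104",
                 8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKM_SUITES = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK",
              5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE"}


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_ies(body: bytes):
    """Walk the tag/length/value information elements after the fixed fields."""
    ies, i = [], 0
    while i + 2 <= len(body):
        tag, ln = body[i], body[i + 1]
        ies.append((tag, body[i + 2:i + 2 + ln]))
        i += 2 + ln
    return ies


def suite_name(sel: bytes, table: dict) -> str:
    if sel[:3] != IEEE_OUI:
        return "vendor-" + sel.hex()
    return table.get(sel[3], f"unknown-{sel[3]}")


def parse_rsn(data: bytes) -> dict:
    """RSN IE: version, group cipher, pairwise list, AKM list, capabilities."""
    off = 2                                   # skip the 2-byte version field
    group = suite_name(data[off:off + 4], CIPHER_SUITES)
    off += 4
    n, = struct.unpack_from("<H", data, off)
    off += 2
    pairwise = [suite_name(data[off + 4 * k:off + 4 * k + 4], CIPHER_SUITES) for k in range(n)]
    off += 4 * n
    n, = struct.unpack_from("<H", data, off)
    off += 2
    akms = [suite_name(data[off + 4 * k:off + 4 * k + 4], AKM_SUITES) for k in range(n)]
    off += 4 * n
    caps = struct.unpack_from("<H", data, off)[0] if off + 2 <= len(data) else 0
    return {"group": group, "pairwise": pairwise, "akm": akms,
            "mfp_capable": bool(caps & 0x80), "mfp_required": bool(caps & 0x40)}


def parse_beacon(frame: bytes) -> dict:
    fc = frame[0]
    if (fc & 0x0C) != 0 or (fc >> 4) != 8:
        raise ValueError("not a Beacon (management frame, subtype 8)")
    interval, cap = struct.unpack_from("<HH", frame, 32)   # after 8-byte timestamp
    info = {"bssid": mac_str(frame[16:22]), "beacon_interval_tu": interval,
            "privacy": bool(cap & 0x0010), "ssid": None, "channel": None,
            "rates_mbps": [], "basic_rates_mbps": [], "phys": [], "rsn": None}
    for tag, val in parse_ies(frame[36:]):
        if tag == 0:
            info["ssid"] = val.decode("utf-8", "replace") or "<hidden>"
        elif tag in (1, 50):                 # Supported / Extended Supported Rates
            for r in val:
                mbps = (r & 0x7F) / 2
                info["rates_mbps"].append(mbps)
                if r & 0x80:                 # MSB set = basic rate every STA must support
                    info["basic_rates_mbps"].append(mbps)
        elif tag == 3:
            info["channel"] = val[0]         # DS Parameter Set
        elif tag == 45:
            info["phys"].append("HT (802.11n)")
        elif tag == 48:
            info["rsn"] = parse_rsn(val)
        elif tag == 191:
            info["phys"].append("VHT (802.11ac)")
    if any(r in (5.5, 11.0) for r in info["rates_mbps"]):
        info["phys"].insert(0, "HR/DSSS (802.11b)")
    if info["rsn"] is None:
        info["security"] = "WEP" if info["privacy"] else "Open"
    else:
        info["security"] = "RSN " + "/".join(info["rsn"]["akm"])
    return info


def ie(tag: int, val: bytes) -> bytes:
    return bytes([tag, len(val)]) + val


def build_sample_beacon() -> bytes:
    """Constructed Beacon: made-up BSSID, SSID CorpWLAN, channel 6,
    802.11b/g/n/ac rates and elements, CCMP with 802.1X, PMF required."""
    bssid = bytes.fromhex("020000000001")    # locally administered, made up
    hdr = b"\x80\x00\x00\x00" + BROADCAST + bssid + bssid + b"\x10\x00"
    fixed = struct.pack("<QHH", 0x1234, 100, 0x0411)   # timestamp, 100 TU, ESS+Privacy
    rsn = (struct.pack("<H", 1) + IEEE_OUI + b"\x04"            # group cipher CCMP
           + struct.pack("<H", 1) + IEEE_OUI + b"\x04"          # one pairwise: CCMP
           + struct.pack("<H", 1) + IEEE_OUI + b"\x01"          # one AKM: 802.1X
           + struct.pack("<H", 0x00C0))                         # MFPC | MFPR
    ies = (ie(0, b"CorpWLAN")
           + ie(1, bytes([0x82, 0x84, 0x8B, 0x96, 0x0C, 0x12, 0x18, 0x24]))
           + ie(3, b"\x06") + ie(50, bytes([0x30, 0x48, 0x60, 0x6C]))
           + ie(45, bytes(26)) + ie(48, rsn) + ie(191, bytes(12)))
    return hdr + fixed + ies


if __name__ == "__main__":
    for k, v in parse_beacon(build_sample_beacon()).items():
        print(f"{k:>18}: {v}")
```

Everything the parser reports comes from a frame the AP broadcasts roughly ten times a second to anyone within range, which is why the security of a WLAN has to rest on the cipher and authentication choices the Beacon advertises rather than on keeping its configuration secret.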


Though it is not the only method you can use, it is very easy to perform eavesdropping using the Kali Linux distribution and a compatible USB adapter. Kali can run in a virtual machine (VM) so that it need not even be your native OS. It comes with all the required tools for wireless eavesdropping preinstalled. The appendix to this text provides instructions for installing a Kali Linux VM using VirtualBox. Kali can also be run in VMware Player, a free virtualization environment that can only run a single VM at a time. VirtualBox can run multiple VMs and, for this reason, it is the tool referenced in the appendix. However, here at CWNP, we have found that running Kali Linux in VMware Player typically results in better performance on the same machine.

Assuming you have a compatible USB adapter (the Hawking HD45U or Linksys AE3000 both work well for 802.11n three-stream captures) connected to your computer and passed through to VMware Player or VirtualBox running Kali Linux, use the following instructions to perform a capture on any channel you desire:
1) In the Kali Linux VM, log on as a user you have created or as root (the default root password in the Kali releases this procedure was written for is toor; releases since 2020.1 instead ship with a non-root kali user whose password is kali, in which case prefix the commands below with sudo).
2) On the desktop, click the Terminal icon to load a terminal (console) session.
3) In the console, execute iwconfig to determine the WLAN adapter name; for example, wlan0 or wlan1 are common.
4) Turn on monitor mode by running airmon-ng start wlan#, replacing # with the identifier of your adapter. Note the name of the monitor interface that airmon-ng reports: older versions create mon0, newer versions create wlan0mon.
5) Execute airodump-ng mon# --band g to look for SSIDs on 2.4 GHz, or airodump-ng mon# --band a to look for SSIDs on 5 GHz, replacing mon# with the monitor interface created by airmon-ng, for example mon0. Press CTRL+C once you have identified the channel you want to capture.
6) Execute airmon-ng stop mon#, replacing mon# with the appropriate identifier, for example airmon-ng stop mon0. You need to create a new monitor interface locked to the channel you want to capture.
7) Execute airmon-ng start wlan# 1 to instantiate a monitor interface on channel 1 (change 1 to any other channel you desire, including 5 GHz channels), changing the # as needed.
8) Run Wireshark by executing wireshark from the console. Ignore the warning about running as root; after all, you are performing wireless discovery.
9) In Wireshark, click the mon# interface and then click Start to begin capturing, replacing # with the identifier of your monitor interface created with airmon-ng.
10) Results: Depending on your adapter and its supported drivers, your results will vary. Excellent results have been achieved with the Hawking HD45U adapter, though this USB device is getting harder to acquire.


Figure 2-7: Capturing 802.11 Beacon Frames on Kali Linux

If you are unfamiliar with Wireshark, this is a great time to get your feet wet with it. It is a favorite of wireless and Ethernet network engineers and support staff, a powerful multi-OS tool for showing packet- and frame-based activity that frequently leads to solving network problems, and a favorite of hackers. "The packets never lie" is a popular saying among those skilled in protocol analysis and, as you get used to what Wireshark can tell you, you will understand why that expression is true. For more detailed information on protocol analysis (as well as spectrum analysis), see the CWAP Official Study Guide published by CertiTrek Publishing.

Social Engineering


Social engineering is a collection of methods used by intruders to gather information that may in turn help them circumvent an installed wireless security solution. It is perhaps one of the easiest ways for someone to bypass even the best security solutions because it takes advantage of the human component in network environments. The people who use and support a network are often quite vulnerable to exploitation. Most individuals are trusting to a certain degree, so network users can be easily deceived by practiced intruders.

Consider a simple example, the company help desk. The purpose of the company help desk is to assist users with technical problems. In many computer network installations, the help desk is commonly the first place a user turns when experiencing wireless network problems and seeking assistance. If not properly trained and aware of social engineering practices, help desk personnel can be targets for potential intruders. One tactic is calling the help desk and befriending the person who is assisting in order to obtain information such as WLAN passphrases. Another is for the intruder to call the help desk and request a password reset for an authorized user's account. The social engineering variations are many, including the various phishing methods, talking the talk with the right people, dumpster diving, and others.


Figure 2-8: Social Engineering Toolkit Bundled in Kali Linux

A well-known hacker named Kevin Mitnick often addresses the vulnerability of social engineering. Many of his greatest network attacks occurred by exploiting this weak link in the security chain: "My message today is primarily the same... I usually go around speaking on the threat of the human element, particularly on social engineering."—Kevin Mitnick

The Social Engineering Toolkit, shown in Figure 2-8, includes the following attack vectors:
■ Spear-Phishing—send emails with attached file payloads.
■ Website Attacks—utilize multiple web-based attacks to compromise site visitors.
■ Infection Media Generator—create USB, CD, and DVD autorun modules with a Metasploit payload.
■ Creating a Payload and Listener—set up a payload to provide re-entry to compromised systems.
■ Mass Mail—send emails to massive numbers of recipients through a private mail server or a junk Gmail account.
■ Arduino Attacks—program Arduino hardware for attack purposes.
■ Wireless AP—set up fake APs and captive portals to capture user information or infect user machines.
■ QRCode Generator—generate QR codes that redirect people to attack sites.
■ Powershell—take advantage of PowerShell's power in modern Windows systems to perform attacks.
■ Third-Party—extend the features of the toolkit with several add-ons.

This toolkit makes social engineering attacks easy, but the most powerful of these involve direct human interaction. For this, no software can give an attacker the ability to do what some gifted and charismatic people are able to do. Whether you claim to be the CTO (or his assistant) when you demand a password over the phone, or pose as a copier repair person to plant a rogue AP, the human interactions associated with social engineering can do the most damage.

Social engineering should be addressed in the corporate security policy for any type of computer network, including wireless networks. Training of all company personnel in awareness of social engineering should be explicitly defined and made mandatory. Training helps to explain and identify the techniques and methods used in social engineering attacks, and provides company-wide awareness as the primary countermeasure to such attacks.

RF DoS

Just as the name implies, a Denial of Service (DoS) attack prevents access to a service. In wireless networking, one such attack is an RF DoS. This occurs when the radio frequency used for intended communications is impacted by external RF sources, preventing wireless communication from occurring at Layer 1. This type of attack falls under one of two categories: intentional or unintentional. With standards-based wireless networking, the 802.11 PHYs specify raw RF Energy Detect (ED) thresholds; when energy above the threshold is present, clear channel assessment reports the medium busy and the STA defers transmissions on that RF channel.
If alternative RF channels with available APs are not available, because the jamming spreads across multiple channels or because there are no other APs, a complete network outage may occur as a result of the excess RF noise. This is known as a PHY DoS.

The unintentional RF DoS is the first category. This denial of service is usually caused by devices that operate in the same radio frequency space as a wireless network. The interfering RF may be modulated or unmodulated, which means the source may or may not implement 802.11 wireless network communications. An unintentional RF DoS could be caused by various devices that use radio frequency, including:
■ Microwave ovens
■ Cordless telephones
■ Baby monitors
■ Wireless cameras
■ Neighboring 802.11 wireless networks

The intentional RF DoS is the second category. This type of denial of service attack, typically classified as an RF jamming attack, is used to interrupt valid, active RF communications with malicious intent. Intentional jamming can have serious implications for a wireless network, as all RF communications within range of the jamming device can be stopped. The attack could be used by an intruder to force an authorized wireless network device to reauthenticate and roam to a rogue AP, or to shut down an RF channel or channels, effectively shutting down a wireless network. Such an attack can be performed by devices such as:
■ RF jammer, narrowband or wideband
■ RF signal generator
■ 802.11 wireless adapters using specialized software programs

The best way to protect against an intentional RF DoS is to realize that it is happening and to employ proper physical security techniques. The best tool to identify this type of attack is an RF spectrum analyzer that covers the frequency spectrum in use, or a wireless intrusion prevention system (WIPS). While such solutions can detect the attack, they cannot stop it if it is wideband. Intervention by an engineer, who locates and stops the transmission, is required. A narrowband attack may be mitigated through solutions like Radio Resource Management (RRM), which moves an AP to an alternate channel.

EXAM MOMENT: Intentional jamming is typically performed on the 2.4 GHz spectrum, as jammers are easily acquired (though absolutely illegal to operate).
If an intentional jamming attack were to occur on a modern WLAN that uses dual-band APs, chances are that only one band or the other would be impacted, because any jamming tool likely to be used would not impact both 2.4 GHz and 5 GHz. A jamming attack can be extremely disruptive, but the range of jamming tools is limited. The same jamming that could lay waste to an SMB Wi-Fi environment would likely only impact a part of a larger WLAN, as even jamming signals are subject to free space path loss.

Layer 2 (MAC) DoS


As stated before, 802.11 wireless networks operate at both the Physical layer and the MAC sublayer of the Data Link layer of the OSI model. In addition to the PHY DoS attacks mentioned, 802.11 wireless networks are also vulnerable to MAC sublayer attacks. This is a result of the way the 802.11 protocol functions: its normal operation has built-in weaknesses that are subject to exploitation. Several different MAC sublayer DoS attacks are documented that can be used for wireless network exploitation. Due to the half-duplex, shared-media nature of WLANs, 802.11 protocols specify behaviors that require Wi-Fi devices to play nice. These same protocols, specified for the good of the network, are also used to exploit the network with a DoS attack. Common Layer 2 (MAC sublayer) DoS attacks include using spoofed Deauthentication and Disassociation management frames to subvert normal client connectivity; before 802.11w Protected Management Frames (PMF), these frames carried no integrity protection, so a station accepts a forged one that simply carries the AP's BSSID as its source address.

Figure 2-9: A Deauth DoS Attack

With common tools like protocol analyzers and a wireless intrusion prevention system (WIPS), Layer 2 DoS attacks can be identified and, in many cases, mitigated. Unlike the PHY DoS attacks, changes can be made to circumvent such attacks more easily. Use the following procedure to perform a deauth DoS using Kali Linux with a compatible adapter:
1. Launch the Kali Linux VM (the appendix provides instructions for creating the VM).
2. Log on as root with a password of toor.
3. Launch a Terminal.
4. Determine the proper WLAN adapter identifier based on the instructions provided earlier.
5. Execute airmon-ng start wlan0, replacing wlan0 with the proper identifier for your WLAN adapter.
6. Execute airodump-ng mon0 --band a, replacing mon0 with the proper identifier of your monitor interface, and --band a with --band g if you prefer to look for attack targets in 2.4 GHz instead of 5 GHz.
7. Note the BSSID of the AP you wish to target. This is the MAC address of the target AP. You can highlight it and then right-click and select Copy to make things easier.
8. Press CTRL+C to end the airodump-ng scan.
9. Execute aireplay-ng -0 0 -a B4:75:0E:59:39:DE mon0, replacing B4:75:0E:59:39:DE with your target BSSID and mon0 with the identifier of your monitor mode interface. The -0 0 option sends Deauthentication frames continuously to the broadcast address, which disconnects every client of that BSSID; add -c followed by a client MAC address before the interface name to target a single station instead.

Peer-to-Peer

Peer-to-peer network communications are when one wireless client device connects to another wireless client device. These communications can be accomplished by using an Independent Basic Service Set (IBSS), also known as an ad hoc WLAN, in which client devices connect directly to each other, or in infrastructure mode, where wireless client devices connect to each other through an AP (or directly, when the infrastructure allows it). It is important to understand that ad hoc networks are typically against most corporate security policies; however, they may be allowed in some cases. If they are used, proper security precautions must be taken. Even if they are not "allowed," it is important to remember that, if they are not restricted on the organization's devices, they can be created by the users. They can also be created on user-owned devices. Therefore, monitoring for them with WIPS solutions is important if the organizational policy is against them.

If infrastructure mode peer-to-peer connections are not required, enable peer-to-peer blocking on the WLAN infrastructure (at the APs or controllers). WLAN equipment manufacturers use different methods to perform this task, but it is usually an easy configuration step. For networks that require this type of communication, such as wireless voice handsets or Apple FaceTime, enable peer-to-peer communications.
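As an added example (not code from the study guide), the following Python implements the detection side of the deauth DoS procedure above, the way a WIPS sensor or a script fed from a monitor-mode capture would: it parses raw 802.11 Deauthentication and Disassociation frames and raises an alert when one BSSID is the source of ten or more of them within one second. The capture it runs over is constructed inline: a few benign deauths from a made-up AP (02:00:00:00:00:0a, reason code 3, station leaving), then a broadcast flood spoofing a second made-up BSSID (02:00:00:00:00:0b) with reason code 7, a reason code commonly seen in tool-generated floods. The one-second window and threshold of ten are assumptions to tune per environment.

```python
"""Added example (not from the study guide): detecting a deauthentication
flood from raw 802.11 frames the way a WIPS sensor does.  Every frame and
timestamp here is constructed for the demo; the BSSIDs are made-up, locally
administered addresses."""
import struct
from collections import defaultdict, deque

SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 10, 12
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_disconnect(frame: bytes):
    """Return the fields of a Deauthentication/Disassociation frame, else None."""
    fc = frame[0]
    if (fc & 0x0C) != 0:              # type bits b2-b3 != 00: not management
        return None
    subtype = fc >> 4
    if subtype not in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH) or len(frame) < 26:
        return None
    reason, = struct.unpack_from("<H", frame, 24)   # 2-byte body after 24-byte header
    return {"kind": "deauth" if subtype == SUBTYPE_DEAUTH else "disassoc",
            "da": mac_str(frame[4:10]), "sa": mac_str(frame[10:16]),
            "bssid": mac_str(frame[16:22]), "reason": reason}


class DisconnectFloodDetector:
    """Sliding-window rate detector keyed by BSSID.  A handful of deauths per
    minute is normal (clients leaving, AP reboots); tens per second is not."""

    def __init__(self, window_s: float = 1.0, threshold: int = 10):
        self.window_s, self.threshold = window_s, threshold
        self.recent = defaultdict(deque)     # bssid -> timestamps inside the window
        self.alerted = set()                 # alert once per BSSID per flood

    def feed(self, ts: float, frame: bytes):
        info = parse_disconnect(frame)
        if info is None:
            return None
        q = self.recent[info["bssid"]]
        q.append(ts)
        while ts - q[0] > self.window_s:     # drop timestamps older than the window
            q.popleft()
        if len(q) >= self.threshold and info["bssid"] not in self.alerted:
            self.alerted.add(info["bssid"])
            return {"bssid": info["bssid"], "kind": info["kind"], "count": len(q),
                    "window_s": self.window_s, "broadcast": info["da"] == BROADCAST,
                    "reason": info["reason"], "first_seen": q[0], "at": ts}
        return None


def run_detector(events, **kw):
    """events: iterable of (timestamp_seconds, raw_80211_frame) pairs."""
    det = DisconnectFloodDetector(**kw)
    return [a for a in (det.feed(ts, f) for ts, f in events) if a]


def build_disconnect(bssid: bytes, dst: bytes, reason: int, deauth: bool = True) -> bytes:
    """Construct the frame as an AP (or an attacker spoofing it) sends it: SA = BSSID."""
    fc = bytes([(SUBTYPE_DEAUTH if deauth else SUBTYPE_DISASSOC) << 4, 0x00])
    return fc + b"\x00\x00" + dst + bssid + bssid + b"\x00\x00" + struct.pack("<H", reason)


def sample_events():
    """Constructed capture: three benign deauths from AP A over 8 s, then 50
    broadcast deauths in half a second spoofing AP B with reason code 7
    ('Class 3 frame received from nonassociated STA')."""
    ap_a, ap_b = bytes.fromhex("02000000000a"), bytes.fromhex("02000000000b")
    client = bytes.fromhex("020000000101")
    events = [(i * 4.0, build_disconnect(ap_a, client, 3)) for i in range(3)]
    events += [(20.0 + i * 0.01, build_disconnect(ap_b, b"\xff" * 6, 7)) for i in range(50)]
    return events


if __name__ == "__main__":
    for alert in run_detector(sample_events()):
        print(alert)
```

On a WLAN where 802.11w Protected Management Frames have been negotiated, the station discards a spoofed Deauthentication because its MIC does not verify, so the flood fails outright; the detector remains useful for legacy clients that cannot negotiate PMF and as evidence that someone is attacking the cell.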
Multiple types of peer-to-peer attacks exist, and they are most common on open public access networks (wireless hotspots), where unsuspecting users leave themselves vulnerable to attackers. If the establishment hosting the open wireless network did not implement proper security measures such as peer-to-peer blocking, many experienced attackers are able to identify this type of wireless network and use it for a variety of attacks. These attacks include data theft and accessing the client device directly because of weak security on the client system.

Man in the Middle (MITM)


A wireless man in the middle (MITM) attack is the result of an intruder placing an unauthorized wireless device between a legitimate wireless AP and a wireless client device that is authorized to connect to and use the wireless network. The intruder gains the capability to capture and exploit all information that is passed between the authorized wireless client device and the wireless AP as that information traverses the MITM device. The possibilities of how to leverage the ill-gotten data are endless once a MITM attack has been successful.

Several steps must be taken to perform a MITM attack, and slight variations exist on the basic construct. We will look at a common scenario here. With minimal equipment and easily acquired programs, a MITM attack can be fairly straightforward. It is important to understand what technology is used in this type of attack in order to protect your network from it. One common method is to use a client device (usually a laptop) with two wireless adapters. One adapter is used in conjunction with a software AP and the other is used to connect to the authorized AP. The intruder forces the unsuspecting authorized user to connect to the software AP, typically with a deauth attack, and relays the traffic to the authorized AP using the second wireless network adapter. The success of this process assumes that the attack is performed on an open wireless network (public hotspot), or that the intruder has the proper credentials to connect to a secured network. Acquiring these credentials may have been the result of another attack, such as social engineering or shoulder surfing (looking over the shoulder of a target to view the username and password entered).


Figure 2-10: Hijacking Attack

To perform a successful MITM attack, the intruder must first hijack the authorized wireless client device. Hijacking is performed by forcing the authorized wireless client device to connect to the intruder's unauthorized wireless device. Given that a client generally connects to the AP offering the strongest signal for the SSID it wants (as seen in Beacon or Probe Response frames), a deauth attack typically causes the client to reconnect to the attacker's software AP, assuming the software AP radio is closer to the target and provides a stronger signal than the authentic AP. Once an authorized client device is hijacked, several other attacks can be conducted.

MITM attacks may lead to very serious security issues, or they may simply be used for eavesdropping purposes in order to gather specific information about the network and the connected wireless devices for planning future exploits. For example, the attacker may be able to harvest website credentials used by the user, including credentials required to authenticate to a captive portal or some such system.

MITM attacks can be prevented with adequate protection and proper security measures in place. Using 802.1X/EAP authentication makes it very challenging for an attacker to launch such an attack, provided the supplicants are configured to validate the authentication server's certificate; a supplicant that accepts any server certificate will happily complete the EAP exchange with an attacker's RADIUS server. Showing the user a personal image (a graphic selected by the user at account creation, as some banking websites do) on a legitimate captive portal login page can help, but this depends on the user actually checking that the proper image is in view and not logging in when it is not.

You can effectively perform a MITM attack using Kali Linux on an Open System authentication-only network with three tools: arpspoof, driftnet, and urlsnarf. All three tools are included in the Kali Linux distribution. Instructions can be found in many online forums; there are even videos online that walk you through the process.

Management Interface Exploits

Many home and small business network users do not realize the dangers of default configurations. Wireless equipment manufacturers publish their default configurations to ease the initial configuration process, but when these parameters are not changed, they are easy to exploit. One of the first steps in staging an AP prior to placing it into service is to change any and all default configurations. These changes include the login credentials (username and password), remote access configurations, securing all required access control protocols, and disabling all protocols that are not needed. Changing default configuration parameters should be performed for home, small business, and enterprise installations. Enterprise network deployments typically specify configuration parameters as part of the corporate security policy. As a main defense against management interface exploits, the policy should document all required steps and help to ensure that everything related to staging and management of devices is covered.

Physical access to infrastructure devices, such as an AP, is an important area that must be considered. Gaining physical access to these devices can introduce many security issues, including theft, device replacement, resetting to factory defaults, access to the console port that is used for configuration, and other concerns. Many solutions are available to help control physical access to APs, including special enclosures and device locks.
As with configuration parameters, physical access should be identified and documented in the corporate security policy. Similarly, weak protocols such as HTTP and Telnet send session authentication traffic as clear text, and an eavesdropped session would hand the intruder the management credentials; use HTTPS and SSH instead. When management interfaces are accessible to intruders, complete DoS attacks, or worse, are very easy to perform. Some best practices recommend managing wireless infrastructure devices from a wired network connection only, and never from a wireless connection. If this is not possible, proper security must be used to ensure that eavesdropping yields no security credentials or parameters that may pose a security risk to the network infrastructure.

Exam Moment: Management interface exploits can be prevented by implementing proper staging and management procedures. Staging includes all tasks during the initial setup of the equipment. Perform management procedures only over secure

